ASA Active/Active

Aug 11th, 2008

OK, I have attached two images to this message. First I would like you to check those out to get a brief idea.


As you can see from the image named "before", I have a Cisco 6500 switch, an ASA 5510, and a link load balancer for load balancing between two links, configured as Active/Standby with VRRP.


Important points

Currently:

1. I have a default route configured on the Cisco 6500 routing all traffic to the firewall inside interface through an L3 interface configured on the switch.

2. Default route on the ASA routing all traffic to the Radware.


So now comes the actual scenario.


Check out the image named "After".


Yes, I am planning to configure Active/Active failover. I know all the disadvantages and I am happy I don't require any of the "can't do's" mentioned.


Now in the Active/Active failover I have seen something like VLANs configured on the ASA.

- My main doubt is where I will route all the traffic on the switch to; I'll now have 2 gateway addresses for two different groups configured on the ASA.


And should I trunk between the firewall and the L2 switches used in between?


2nd thing, what about the outside part: what will the reverse route on the Radware be? Will it be a reverse route to 2 different IPs for the same inside network?


And also, do I need trunking on the ASA outside as well? I'm not sure the Radware supports sub-interfaces and VLAN tags. I am sure that I can use 2 IP addresses on a single interface of the Radware though.

That's not required, probably.



After this lengthy story, if someone understood something, please try to clarify my big and almost stupid doubts.



And I am keen on the Active/Active config; please don't try to convince me by suggesting Active/Standby unless all the above mentioned is completely impossible.



Thank you very much



Victor



Daniel Voicu Mon, 08/11/2008 - 23:02

Hi Victor,


Let me try to explain what active/active means. Basically, you have two devices passing completely different traffic (as it works only with multiple contexts). So if you have two distinct traffic flows that you don't want to mix, you use active/active. For each flow there will be an active/standby failover, but since there are two flows at the same time, Cisco calls it active/active.


If the above is understood, and you still want to go with multiple contexts on the ASAs, you need to start thinking of a rule to split the traffic flows in two; most likely you will want one ASA context on ISP1 and one ASA context on ISP2.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/failover.html


You can use one interface for multiple contexts (thus no need for VLANs), but that will create some headache when classifying the traffic:


http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/contexts.html

"How the Security Appliance Classifies Packets" chapter



Please rate if this helped.


Regards,

Daniel
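An added example (not from this thread or from Cisco's documentation) of the layout Daniel describes: two contexts, each in its own failover group, and the 6500 splitting traffic between the two inside gateways by source subnet. The interface names, VLAN numbers, addresses, context names and the PBR on Vlan100 are assumptions, and the admin context that multiple mode requires is left out.

```cisco
! --- System execution space of the primary ASA (constructed addresses) ---
! The admin context that multiple mode requires is omitted for brevity.
mode multiple
!
! Two failover groups = two independent active/standby pairs. Group 1 is
! normally active on this unit, group 2 on the peer: that is "active/active".
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link folink GigabitEthernet0/3
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
failover
!
! Inside: one trunk to the 6500 with a VLAN subinterface per context, so each
! context owns its own interface and the packet classifier has nothing to guess.
interface GigabitEthernet0/0.10
  vlan 10
interface GigabitEthernet0/0.20
  vlan 20
!
! Outside: a separate physical port per context, so nothing is tagged toward
! the Radware. Each context's own config file holds its nameif/IP/standby IP.
context isp1
  allocate-interface GigabitEthernet0/0.10 inside
  allocate-interface GigabitEthernet0/1 outside
  config-url disk0:/isp1.cfg
  join-failover-group 1
context isp2
  allocate-interface GigabitEthernet0/0.20 inside
  allocate-interface GigabitEthernet0/2 outside
  config-url disk0:/isp2.cfg
  join-failover-group 2
!
! --- Cisco 6500: the split rule. Each context's active inside IP (assumed
! 192.168.10.1 / 192.168.20.1) is a gateway; one user subnet goes to isp1, the rest to isp2.
ip access-list extended TO-ISP1
 permit ip 10.1.0.0 0.0.255.255 any
route-map SPLIT permit 10
 match ip address TO-ISP1
 set ip next-hop 192.168.10.1
route-map SPLIT permit 20
 set ip next-hop 192.168.20.1
interface Vlan100
 ip policy route-map SPLIT
```

The switch's next hop is the context's active inside address, which moves with its failover group to whichever unit is active, so the split survives a unit failure; it remains a fixed split of flows, not a GLBP-style balance.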

victor_87 Tue, 08/12/2008 - 03:44

I am now getting some idea, so Active/Active is for 2 different traffic flows having two different gateways.


So there is no way of sending half the traffic from one gateway and the other half from the other with manually configuring route-maps etc. on the switch or something.



I wanted that kind of scenario wherein the traffic is automatically divided into 2, somewhat like a GLBP implementation.

Tell me if there is something like that.

Anyway, thank you for helping me finally glow the light in my head.



Daniel Voicu Tue, 08/12/2008 - 04:54

Hi,


ASA has no mechanism for load balancing like GLBP. Manually configuring route-maps on the switch is like creating static routes; it will not allow for a failover (no dynamic behavior).

What you need there is good old-fashioned active/standby. Easy to set up and maintain.


Sorry mate :)


Cheers,

Daniel
